Reference for a preliminary ruling from High Court of Ireland (Ireland) made on 25 July 2014 -
Maximillian  Schrems  v Data  Protection  Commissioner 

(Case  C-362/14) 

Language  of  the  case:  English 

Referring  court 

High  Court  of  Ireland 

Parties  to  the  main  proceedings 

Applicant:  Maximillian  Schrems 

Defendant:  Data  Protection  Commissioner 


Questions  referred  by  the  Irish  High  Court: 

"Whether  in  the  course  of  determining  a complaint  which  has  been  made  to  an  independent  office 
holder  who  has  been  vested  by  statute  with  the  functions  of  administering  and  enforcing  data 
protection  legislation  that  personal  data  is  being  transferred  to  another  third  country  (in  this  case,  the 
United  States  of  America)  the  laws  and  practices  of  which,  it  is  claimed,  do  not  contain  adequate 
protections  for  the  data  subject,  that  office  holder  is  absolutely  bound  by  the  Community  finding  to 
the contrary contained in Commission Decision of 26 July 2000 (2000/520/EC [1]) having regard to
Article 7, Article 8 and Article 47 of the Charter of Fundamental Rights of the European Union (2000/C
364/01 [2]), the provisions of Article 25(6) of Directive 95/46/EC [3] notwithstanding?

Or,  alternatively,  may  and/or  must  the  office  holder  conduct  his  or  her  own  investigation  of  the 
matter  in  the  light  of  factual  developments  in  the  meantime  since  that  Commission  Decision  was  first 
published?" 


[1] Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament
and of the Council on the adequacy of the protection provided by the safe harbour privacy principles
and related frequently asked questions issued by the US Department of Commerce (notified under
document number C(2000) 2441), OJ L 215, p. 7

[2] Charter of fundamental rights of the European Union, OJ C 364, p. 1

[3] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement of
such data, OJ L 281, p. 31


Initial  Pleadings 

Mr  Travis  (for  Max  Schrems): 

See original notes, published on europe-v-facebook.org.

• Mr Schrems is an EU Facebook user

• Complaint  is  about  transfer  from  Ireland  to  the  US 

• Data  transferred  to  US  is  subject  to  "mass  & indiscriminate  surveillance" 

o = processing  incompatible  with  fundamental  right  to  privacy 

• More  serious  than  Data  Retention  (Digital  Rights  Ireland  Case  Law): 

o The same principles apply a fortiori to the far more egregious breach which occurs
now (in DRI there were still at least some limitations / judicial oversight + was not
about content)

o US laws lack any similar safeguards + allow access to content of Mr Schrems' data,
o Not just disproportionate, but the essence of the right to privacy is infringed

• Re:  invalidity  of  Safe  harbor 

o Decision violates both its own legal basis (article 25(2)) and higher ranking
EU law

o Measures based on the Directive must comply with fundamental rights
o Right to privacy offers protection against both public and private infringements
o Validity was always contested by Mr Schrems - opposing views are wrong,
o Says CJEU is entitled to consider validity of Safe Harbor, even though this was not
explicitly asked by the referring court (cites Schwarze case)

• There is a duty on national DPAs and EU institutions to protect the fundamental right of
privacy

o Commission  must  interpret  competence  in  article  25  in  light  of  overriding  objective 
of  protecting  privacy 

o National  DPAs  are  bound  to  apply  national  laws,  including  fundamental  rights,  and 
must  carry  out  independent  investigation 

o It  would  be  contrary  to  "independence"  if  national  DPAs  were  "absolutely  bound"  to 
EC  adequacy  decisions 

• Safe Harbor requires violations of US law (via SHPs) (cites article 3-4 decision), this is wholly
unacceptable / prevents national DPAs from effectively fulfilling their duties; benchmark
should be EU law

o So SH is invalid in and of itself

o However, if the court considers Safe Harbor to be valid in principle, DPAs should be
required to verify in particular instances when presented with reasonable
complaint

• An  adequacy  decision  must  fulfill  both  requirements  of  article  25(2)  and  (6) 

o Material:  Adequate  level  of  protection 

o Formal:  Protection  must  come  from  national  law  or  binding  international 
commitment 

■ SHPs  / FAQs  are  a merely  self-styled  statement  by  US,  not  binding 
international  commitment  as  under  Vienna  convention 
o Adequate  level  of  protection  requires  effective  remedy 

• Commission  has  itself  admitted  that  Safe  harbor  is  broken  / needs  to  be  fixed 


• If you were to invalidate, all it would do is place US companies in same position as all other
companies in the world and US companies who have not "self-certified" their compliance
with SHPs

Irish  Data  Protection  Commissioner 

• With  powers,  there  come  limitations.  Limitations  are  the  main  theme  of  their  submission. 

• This  case  is  about  powers  of  DPAs  and  the  limits  of  those  powers 

• DPCs are first and foremost bound by national laws which establish their office, which
requires them to follow community finding

• DPC  cannot  strike  down  national  law  / directive  / EU  act 

• DPC  is  bound  by  complaint  + evidence  submitted  ->  Mr.  Schrems  wanted  to  discuss  safe 
harbor  in  a general  way,  he  did  not  allege  that  Facebook  actually  violates  Safe  Harbor,  nor 
that  he  was  in  any  specific  way  harmed 

o Same  applies  for  Irish  Court,  Max  didn't  invoke  invalidity  of  directive  / safe  harbor 
there 

• Now  he's  trying  to  expand 

• Court  did  not  ask  validity.  Safe  Harbor  is  not  on  the  table.  DPC  asks  court  to  respect  limits  of 
the  case. 

• The  EU  has  decided  to  regulate  international  transfers  with  US  through  the  EC 

• Safe Harbor is a "negotiated compromise", not complete equivalence.

• But questions of whether it is no longer valid are to be decided, reviewed, negotiated by EC

o Not  up  to  DPAs 

• The  DPA  or  High  Court  didn't  have  any  real  evidence  submitted  to  it  that  enforcement 
mechanism  will  not  work,  just  newspaper  report 

• Charter  of  fundamental  rights  does  not  allow  national  DPAs  to  disregard  national  law  or 
other  EU  laws 

• It's a matter of international diplomacy, better done by Commission than by national DPA

Digital Rights Ireland (Amicus)

• Safe  Harbors  is  imposed  on  Member  States  as  an  absolute,  they  cannot  call  into  question 

• Article 3(1)(b) of SafeHarbor would not be a solution.

• However,  safe  harbor  was  adopted  pursuant  to  directive  + is  instrument  of  community 
legislation  (tertiary  instrument) 

o Must be valid / compliant with higher ranking law

o Independent supervision of directive requirements + charter is required

• Court  has  itself  invalidated  decisions  because  Commission  exceeded  its  authority 

• The power of the DPC, including power to suspend international transfers, is not affected by
EC decisions

• Regulation  45/2001 

• EDPS  may  conduct  investigations  on  its  own  initiative  + is  not  limited  to  instances  where  EU 
is  acting  as  data  controller,  but  also  where  EU  adopts  decisions  affecting  personal  data 

• Article  25(2):  national  law  and/or  international  commitment 

• However, national laws on the books are not the only factor to consider, Commission must
consider adequacy of practices as well

• Commission  itself  has  raised  significant  concerns  with  regard  to  actual  protection  offered  by 
Safe  Harbor. 


• Adequate  level  of  protection  must  include  effective  judicial  protection.  However,  FAQ11 
offers  companies  choices,  none  of  which  are  judicial  protection 

• FTC  has  never  analyzed  complaints  regarding  safe  harbor  pursuant  to  EU  complaint 

• Companies'  self-certification  is  not  a finding  of  adequacy,  it's  just  a decision  to  stop  looking 

• Formal  requirements  of  Article  25(6)  not  fulfilled,  only  an  ad-hoc  certification. 

• Commission, if necessary, must renegotiate safe harbor (article 3(4)). The CJEU may also
evaluate if the EC doesn't

• DRI  acknowledges  difficulty  of  what  happens  when  1 national  DPA  were  to  invalidate. 
Therefore,  the  EDPS  is  responsible  for  ensuring  harmonized  approach  among  national  DPAs 

• Commission  is  not  itself  an  independent  supervisor  of  rights,  especially  for  its  decision,  there 
must  be  oversight 

Ireland 

• Validity  not  brought  up  by  the  Irish  court. 

• Commission  SH  decision  binds  national  Member  States,  s 11  of  the  DPAct  is  consequently  an 
implementation  of  EU  law. 

• It is for the COM to make decision on the "adequacy" under Article 25. DPC must act within
the limits of the law.

• SH  satisfies  requirements  of  Directive  95/46 

• Article  25  scheme  is  predicated  upon  the  EC  making  findings  of  adequacy,  no  similar  power  is 
afforded  to  DPAs  in  article  28,  and  DPAs  must  act  within  the  limits  of  their  powers 

• EDPS does not have any express formal power of review for EC decisions

• EU  cannot  impose  its  standards  unilaterally  on  third  countries,  this  is  why  article  25  does  not 
require  an  "equivalent"  level  of  protection,  but  an  "adequate"  level  of  protection 

• As  long  as  EC  doesn't  repeal  or  suspend,  national  DPAs  must  recognize  - Member  States 
cannot  unilaterally  undermine 


Belgium 

• There  is  no  hierarchical  order  between  the  chapter  on  supervision  and  chapter  on  transfer 

• Chapter  of  Directive  95/46:  Rules  on  transfers  are  not  overriding  the  rules  on  the 
independent  authority. 

• In  fact,  supervisory  authorities  are  endowed  with  power  to  supervise  compliance  with  the 
directive 

• Purpose of EC adequacy decisions is to provide legal certainty; they are binding for Member
States and part of the legal framework which DPAs are in principle bound to apply.
However, adequacy decisions are of indefinite timespan, and circumstances may change. And
Member States are obliged to ensure continuous level of protection if there are specific
circumstances indicating there is no longer adequate level of protection, DPAs are not
absolutely bound by adequacy decisions

• Circumstances  changed  for  SafeHarbor.  No  explicit  duty  to  review  SH  in  the  law,  but  general 
obligation  to  do  so. 

• The  types  of  surveillance  raised  in  this  case  do  go  against  the  essence  of  the  right  to  privacy, 
as  confirmed  by  DRI 

• If  there  is  a fundamental  violation  of  fundamental  rights,  the  COM  decision  cannot  preclude 
the  DPA  to  take  action. 


• But  there  must  be  imminent  risk  + clear  harm.  Article  3 - Grave  harm  is  satisfied  if  Article  8 
CFR  is  violated.  Article  3 if  asked  for  secondary  harm"  is  against  Art  8.  If  this  is  not 
established  in  the  case  at  hand  by  Snowden  revelations,  it  is  hard  to  imagine  what  would. 

• PRISM is a manifest violation of fundamental rights. If DPAs are deprived of action this is
not implemented.

• Recommends answering the question referred in the negative

Austria

• EC  adequacy  decisions  are  not  applicable  in  national  laws,  Directive  says  that  Member  States 
shall  take  the  measures  necessary,  not  blindly  follow  it. 

• Positive  adequacy  decision  can  be  transformed  in  different  ways  by  the  MS  (copy  into 
national  law,  or  reference  in  the  law..) 

• Article 25(6) does not contain express obligation on Commission to evaluate the ongoing
adequacy of the level of protection, but there is an implicit one under higher ranking law. If
the Commission fails to do so, there is a possibility for individual Member States to
investigate and, if necessary, to take additional restrictive measures. There are indications
that this is necessary.

• Opposed  to  Ireland,  AT  thinks  that  there  has  to  be  way  to  suspend  flows. 

• "We expressly contest the view of Ireland" - Article 3 is an "emergency exit", and may be
used, but Article 3 "emergency exit" too narrow, given the four requirements in Art 3(1)(b).
Article 3 allows basically no independent review.

• Practical  effectiveness  needs  to  be  at  forefront. 

• Again:  vs.  Ireland:  This  is  not  about  expanding  EU  laws  to  the  US,  but  providing  basic  rights. 

• We are not looking at third countries and trying to compel them to adopt EU law, what we
are doing is asking to avoid negative impact on fundamental rights of EU citizens

• The  SafeHarbor  has  a very  complicated  structure,  even  for  experts.  AT  refers  to  Mr  Schrems 
submission  (expert  paper  by  Prof.  Boehm). 

• Effective  remedy  is  a core  requirement  of  Directive  (again  vs.  Ireland),  cannot  just  be  lower... 

• In  framework  agreement  (third  pillar):  effective  of  judicial  and  administrative  remedy 

• Safe  harbor  is  not  US  law  nor  does  it  create  international  commitment,  so  there  is  actually  no 
basis  whatsoever  for  the  EU's  SH  decision!  SH  decision  should  be  repealed 

• SafeHarbor is a "negative decision". "Safe Harbor is just a safe harbor for data pirates".

• SafeHarbor  was  never  legal.  The  decision  has  to  be  invalidated,  maybe  with  a grace  period. 

Poland 

• SH  is  based  on  the  Directive,  so  should  be  interpreted  in  light  of  the  Directive  as  much  as 
possible.  The  directive  has  priority  over  the  SH  decision. 

• So a commission decision cannot prevent national DPAs from exercising powers with which
they are endowed. If there are provisions in SH which unduly restrict powers of DPA, priority
should be given to Directive's provisions on powers of national supervisory authorities.

• A commission  decision  is  not  incontestable.  There  has  to  be  a security  mechanism. 

• The  list  of  cases  when  data  flows  can  be  suspended  can  be  defined  as  in  Art  3 of  the 
SafeHarbor,  but  not  in  such  a way. 

• Poland does not a priori exclude the conditions imposed by SH upon national interventions,
but the restriction is not absolute and presumption of adequacy must be rebuttable. The SH
decision must allow for mechanism to suspend; national DPAs must have possibility to
conduct investigations and if, as a result of such an investigation, it finds that a given
organization does not provide an adequate level of protection, then the national DPA must
have the power to suspend vis-a-vis that organization in the event of the absence of a
decision to suspend transfers by EC

• The will of the EU legislature in Art 25(2) is an overall adequacy concept. So judicial review in
the US is necessary (ref. to Article-29-WP documents).

• Suspension  of  flows  under  SafeHarbor  must  be  possible,  when  fundamental  rights  are 
infringed. 


(First  break) 


Slovenia 

• SH  decision  requires  MS  to  not  interfere  with  its  operation.  But  this  does  not  prevent 
national  DPAs  from  carrying  out  their  independent  investigations. 

• The  SH  decision  is  an  implementing  act,  having  directive  95/46  as  its  basis.  The  powers 
bestowed  on  DPAs  through  Directive  thus  trump  any  provisions  of  SH  decisions  in  case  of 
incompatibility 

• Art 25 "adequacy" is not just laws, but overall assessment. Judicial review on EU standards
is relevant.

• The  Commission  is  not  limited  to  assessment  of  statutes,  but  must  also  assess  practical 
implementation. 

• EU  citizens  must  have  effective  access  to  remedy,  in  accordance  with  EU  standards 

• SafeHarbor was initially compliant in 2000, because MS have not sued the COM over it [sic].

• At  the  time  of  adoption,  SH  decision  was  in  line  with  requirements  of  the  Directive.  But 
findings  in  latest  EC  communications  do  point  to  violations  of  human  rights  in  transfer  to  US. 
The  burden  of  proof  incumbent  upon  individuals  should  not  be  so  high.  Substantial  likelihood 
of  breach  is  sufficient. 

• On Art 3 in SH: No overly great burden on citizens to prove surveillance.

• National  supervisory  authorities  can  act,  regardless  of  whether  EC  acts  or  not. 

• Regulation  45/2001  is  not  suitable  basis  upon  which  EDPS  could  act  independently 

United  Kingdom 

• Member States must take all measures necessary to give effect to an EC assessment of
adequacy. This is natural reading of article 25(6)

• DPAs are fully bound with adequacy decisions.

• Directive as whole aims to protect rights, but also to support free flow of data.

• Article  25  empowers  commission  to  adopt  decisions  to  avoid  different  approaches  / findings 
across  member  states 

• Cross  border  data  flows  are  necessary  for  expansion  of  international  trade 

• The  commission's  ability  to  negotiate  effectively  is  predicated  upon  EC  position  to  have  the 
power  to  reach  a common  and  binding  assessment  of  adequacy.  The  duty  of  each  member 
state  is  therefore  to  give  effect. 

• Can EC prevent national DPAs from exercising their own powers? DPAs must comply with
adequacy decisions adopted by EC. It cannot prohibit transfer on the basis of inadequacy of
laws/commitments. However, this does not prevent DPAs from verifying whether a specific
individual transfer fails to offer adequate level of protection, even if it is generally covered by
an adequacy decision. DPAs can use all their powers to investigate specific instances of
breach. DPAs thus preserve ability to investigate, and if necessary to suspend, specific
international transfers. These then are in the end questions of lawfulness in a specific
instance, not of general assessments of adequacy

• Binding nature of SafeHarbor does not mean DPA cannot suspend under Article 3(1)(b) -
see Article 2 of SH as well. Authorities may also assess adequacy having regard to factors
other than domestic law or international commitments. In other words, adequacy decision
does not offer carte blanche

• DPAs  preserve  their  power  to  assess  compatibility  with  fundamental  rights  in  individual 
instances 

• Can EC subject DPA's exercise of powers to conditions? Nothing prevents an enabling provision
(e.g. to confirm in an individual case)

• With  regard  to  EDPS'  power:  no,  there  is  no  role  for  EDPS  here,  their  power  is  only  for 
processing  by  institutions  (not  private  data  controllers) 

• Must there be effective legal remedy for EU individuals in the laws of the third
country? Yes. But should also be available within the EU, as the origin of the complaint is the
transfer from the EU

• SH  decision  did  comply  with  fundamental  rights  at  the  moment  of  adoption.  The  EC  recent 
communications  don't  really  change  anything,  they  are  just  policy  documents  + there  is  no 
affirmative  obligation  on  EC  to  suspend  SH  in  light  of  these  findings,  especially  as  the  position 
of  the  EC  is  that  improvements  can  be  made 

• UK  is  of  opinion  that  CJEU  has  no  basis  to  strike  down  SH  decision  + that  doing  so  would 
undermine  legal  certainty. 

• EDPS  has  no  authority  to  invalidate  SH 

• Fragmentation  is  a problem  if  SH  is  invalidated. 

European  Parliament 

1)  About  the  effects  of  an  EC  adequacy  decision 

• The  effects  of  an  adequacy  are  limited,  as  defined  by  EU  legislature  + subject  to  the  Charter 

• Article  25(1)  sets  up  a binary  situation:  either  there  is  an  adequate  level  of  protection,  or 
there  is  not  ("like  a light  switch").  The  default  position  is  that  it  is  not. 

• An  EC  adequacy  decision  offers  only  a presumption  of  adequacy.  Such  a presumption  can  be 
rebutted  if  there  is  an  indication  of  systemic  inadequacy 

2)  EC  cannot  limit  DPA  powers  under  article  28  by  means  of  an  adequacy  decision,  it  is  the  EU 
legislature  who  has  defined  the  powers  of  DPAs 

3)  Role  of  EDPS:  EDPS  can  monitor,  issue  guidance  and  co-ordinate,  even  if  the  EU  isn't  acting  as 
controller. 

4)  Effective  judicial  protection  is  essential  requirement  of  "adequacy" 

5)  Validity  of  SH 

• EP has expressed doubts about SH decision as early as 2000; EC just ignored

• Now there was another resolution after Snowden

• EC has found itself that there is mass surveillance.

• At present, US does not offer adequate level of protection, "Systematic inefficiencies" this
"cannot be avoided". -> EC cannot / should not maintain SH decision on the basis of the
evidence which it already has

• EC  has  no  power  to  maintain  SafeHarbor  given  the  facts.  It  has  a duty  to  suspend  it.  EP  has 
made  a resolution,  not  action. 

• "limitation" of Safe Harbor not an option

• Everyone is bound to act under primary and secondary law. 1. Limited legal effects -
rebuttable presumption. 2. When adopting a decision must take into account judicial
protection in the US. 3. It is impossible to conclude an "adequate protection".

6)  Power  of  DPAs  to  investigate 

• If  there  is  clear  indication  of  systemic  violation,  ALL  EU  institutions  and  national  DPAs  are 
bound  to  act 


EU  Commission 

• If  the  EC  adopts  an  adequacy  decision,  Member  States  may  not  prohibit  transfers  based  on 
their  own  finding  of  inadequacy.  Adequacy  Decisions  must  be  applied  by  DPAs.  In  principle 
not  empowered  to  suspend,  however  not  prevented  from  taking  actions. 

• The  EC  assessment  replaces  the  individual  assessment  by  individual  Member  States  and  must 
be  applied  by  national  DPAs.  So  in  principle  DPAs  cannot  stop  transfer. 

• However,  the  SH  decision  does  not  stop  DPAs  from  investigating  adequacy  in  a particular 
instance  (only  prevented  from  doing  so  on  a general  level).  There  must  be  a certain 
indication  of  gravity  before  suspension. 

• Safe Harbor allows "back door" in Article 3, but limitations of Art 3 necessary.

• Suspension  of  data  flows  under  Art  3 SH  only  when  there  is  a certain  threshold  of  privacy 
violations  [Note:  The  EC  contested  that  this  is  the  case  here.] 

• The EDPS is not responsible for monitoring compliance with Directive 95/46, only with
Regulation 45/2001. As a result, EDPS cannot review/invalidate EU decisions adopted pursuant
to Directive 95/46. As long as there is no EU institution processing personal data, they are
not competent.

• The  concept  of  adequacy  allows  for  different  types  of  enforcement  mechanisms.  The  US 
offers  a combination  of  various  redress  mechanisms  (FTC,  self-regulatory  ...),  including 
judicial.  Together,  these  measures  offer  an  "adequate"  level  of  protection,  at  least  from  a 
procedural  perspective.  [Note:  None  of  them  hold  a remedy  in  the  PRISM  case] 

• Recent  EC  findings  suggest  there  is  excessive  reliance  on  national  security  exemptions  by  the 
US. 

Q by  Court:  You're  not  gonna  talk  about  the  validity  back  in  2000? 

A:  EC  submits  that  Safe  Harbor  was  valid  then. 

• Safe  Harbor  is  subject  to  13  points  plan 

• The  EC  therefore  can  NOT  confirm  that  the  SH  regime  still  offers  an  "adequate  level  of 
protection". 

• However,  the  EC  shouldn't  be  criticized  for  not  dismantling  SH  immediately,  as  they  are 
currently  in  the  process  of  renegotiating  it  and  to  pull  the  plug  would  be  too  disruptive  for 
these  negotiations.  EC  has  to  look  at  all  interest:  External  relations,  business,  fundamental 
rights..  EC  needs  discretion  for  the  kind  of  measure  and  timing.  The  CJEU  should  not 
prejudice  the  talks  with  the  US. 

EDPS 

• Data  protection  authorities  have  consistently  criticized  the  shortcoming  of  the  SH  decision, 
especially  in  relation  to  national  security,  but  the  overall  criticism  is  independent  from  this. 

• Mass surveillance inconceivable in 2000 but now there is 9/11 and Snowden. In a recent
opinion, we confirmed that SH was simply not designed to deal with mass & indiscriminate
surveillance. Current mass-surveillance by US could be argued to violate the essence of the
right to privacy because, contrary to DRI, they do gain access to content.

• Article  7 & 8:  The  essence  is  violated,  if  one  looks  at  data  retention  case  law.  See  also 
difference  between  content  and  meta  data  - under  Data  Retention  Ruling.  Absence  of  Article 
8(2)  and  (3)  protections  in  Safe  Harbor. 

• Safe Harbor cannot overrun the independence by DPAs. Art 3(1)(b) allows suspension, and is
not a limitation.

• The EDPS is in the same position as national DPAs, they must be completely independent.

• The EC cannot affect the powers of DPAs or otherwise infringe their independence, they
must have the ability to undertake their own assessment

• As to the future, the commitments made by the US in the coming months must be sufficient,
otherwise EC should suspend SH. But in the meantime, national DPAs retain all their powers
to investigate under Article 3.

• Transatlantic  dialog  is  important,  but  in  this  case  there  is  a failure  of  the  essence  of  the  right 
to  privacy. 


Questions  & answers 

(first  set  of  question  asked  by  Judge  Rapporteur,  exclusively  at  EC) 

1)  Are  the  powers  of  national  DPAs  / EDPS  limited  by  article  3,1  b of  SH  decision 

A: DPAs have all powers granted by article 28 of Dir 95/46, but as long as SH hasn't been
repealed they shouldn't undermine it

2) VERY explicit questions for the COM. Recital 5 of the Safe Harbor Decision - "should" be
attained. "are considered to ensure" - What is this? DO the Safe Harbor Principles, or SHOULD
they ensure protection?

A: it is a real finding / decision not just a general statement of presumption

3)  Doesn't  article  25(1)  require  that  it  "ensures"  an  adequate  level  of  protection? 

A:  Overall  view  is  necessary. 

4) And does "ensure" not mean the same as "guarantee"?

(no  real  answer) 

5) Re: Annex 1, § 4 + Annex 4(B) of SH (national security exemption). Question: Let alone the
exception "necessary for national security purposes" - what about the exception for
"necessary to comply with any US law". Are exceptions established entirely by US law, how
can we argue that there will be adequacy from the perspective of EU law?

A: This provision requires application of proportionality

6) Isn't US law always overriding the Safe Harbor? How can you then plead that this ensures
protection?

COM: Article 3(1)(b) of the Safe Harbor is the "safety valve"


Court:  But  how  does  this  work  with  the  limitations  in  Art  3? 


7) RE: Article 3(1)(b) of SH decision and its relationship to article 25(6). Article 3(1)1 is not about
"adequacy" as such, rather it is a statement about the power of DPAs. Wasn't the EC
exceeding its authority here? Does this go together with the "independence" of DPAs?
Where do you take the power to limit the DPAs in Art 3 SH?

(no  real  answer,  just  saying  that  Commission  has  power  to  do  general  adequacy  findings, 
does  not  limit  powers  in  specific  cases) 

8)  Was  there  no  duty  to  suspend? 

A:  EC  should  assess  all  interests  involved 

9)  Directive  requires  COM  to  PROHIBIT  transfers  (Recital  57).  Do  you  still  have  this  discretion? 

A:  Legal  certainty  and  EU-US  data  flows,  diplomacy  are  factors  to  take  into  account  to  not 
suspend  data  flows.. 

10)  Are  you  pleading  that  SH  decision  is  not  subject  to  the  requirements  of  article  8(3)  of  the 
European  Charter  (requirement  of  independent  supervisory  authority)? 

A:  yes.  It  is  not  the  task  of  national  DPA's  to  call  into  question  the  EC's  general  finding  of 
adequacy 

Add-on  question:  Are  you  saying  Safe  Harbor  is  not  subject  to  Article  8(3)  CFR?  well  what 
about  EC  vs.  Hungary  re:  independence  of  DPAs? 

A:  no  real  answer 


(Break  -resume  at  3PM) 


Questions  by  AG  for  EC: 

1)  question  of  vocabulary:  the  meaning  of  the  verb  "to  ensure" 

When  you  talk  about  expressing  an  obligation,  as  in  the  Directive,  it  can  be  seen  as  an  obligation 
to  ensure  that  adequate  protection  actually  exists 

A: when I read article 25 as a whole, I see that it is up to the member states to check for
adequacy, which is an assessment of a situation and does not necessarily require the presence of
an international obligation/commitment. There is no direct obligation incumbent on states of third
countries. When the EC does an adequacy finding, it has assessed the solidity of the system of
the protection in the third country. In case of SH, the US gvt communicated to the EC, by
administrative letter, the SHPs and its willingness to enforce / they informed us they would /
made a commitment

2)  article  8(1)  of  the  charter 

You  said  there  is  an  area  of  exclusive  competence  of  the  decision,  which  may  not  be  evaluated  by 
national  DPAs.  But  article  8 provides  everyone  right  to  effective  protection.  How  can  this  be 
provided,  if  there  is  "exclusive  competence"  for  the  EC? 

A: EC cannot say article 8 applies to other country, we can only talk about their duty to protect
EU data subjects if they are aware of infringements. If not, the EC has to take actions. But the
decision of adequacy does not become illegal from one day to another, simply because we
become aware of some developments. We have taken action in light of developments
(renegotiations), which are appropriate in the circumstances


Follow-up  Q:  but  how  does  this  relate  to  individual  case?  If  I were  on  Facebook,  what  recourse  do 
I have? 

A:  the  Commission  has  acted  immediately  upon  the  revelations,  has  found  there  were 
shortcomings  and  then  engaged  in  renegotiations.  It  might  perhaps  not  be  as  promising  from  the 
perspective  of  the  individual  user  that  there  will  be  talks  with  the  US  about  additional 
safeguards,  but  it  is  from  the  perspective  of  the  EU  and  we  will  obtain  appropriate  assurances 
from  the  US 

But  what  happens  until  then? 

Q:  your  goal  is  not  to  revoke  SH,  even  in  light  of  findings,  your  goal  is  instead  to  leave  it  in  place 
and  then  ask  for  additional  guarantees  / commitments? 

Q:  what  is  your  timeline  for  assurances  / commitments?  If  I understand  correctly,  your 
recommendations  already  date  from  2013? 

A:  we  have  sufficient  indications  that  there  is  hope  that  our  recommendations  will  be  addressed. 
Q:  but  what  can  I do  as  an  individual  in  the  meantime? 

A:  you  could  close  your  Facebook  account,  revoke  your  consent 
Q:  but  if  I wish  to  approach  a national  authority,  can  I? 

A: yes, but in line with Article 3(1)(b)


Question  for  DPC  (from  Austrian  judge): 

Ireland stresses limitations of its own authority? This is unusual for an authority. Is this
caused by the fact that you are so understaffed? How many lawyers do you have? Is this caused
by the fact that Ireland wishes to be attractive for US tech companies?

A:  Not  sure  about  the  number  of  lawyers.  More  resources  given  to  the  DPC. 

One  still  needs  evidence. 

Q:  Can  maybe  Ireland  answer  the  question  on  the  number  of  lawyers? 

A:  we  have  increased  resources  + Ireland  applies  data  protection  law  same  as  other  member 
states 


Question  by  Lenaerts  for  EC: 

The legality of an act is to be assessed by the applicable law at the time of its enactment.
However here, we are confronted with a decision which assesses adequacy - which is an
evaluation of a factual context in a third country at a particular point in time. Should we, 15
years later, be bound by historical facts? Isn't adequacy something evolving? Isn't there a
continuous obligation to assess by the Commission? There is no time reference for reference
of preliminary ruling. So how can we deal with this? Will we always be bound by 15 year old
decisions, even in light of interim developments? When is the CJEU able to assess?

A:  implicitly  acknowledges 


Question  for  Schrems:  can  you  define  the  actual  harm  inflicted  on  client? 

A:  breach  of  essence  of  right  to  privacy,  by  virtue  of  mass  & discriminate  surveillance 
Q:  but  do  you  have  specific  evidence  of  his  case? 

A:  no,  but  this  is  not  a requirement  - a breach  of  right  to  privacy  is  sufficient  harm,  there  is 
no  need  for  demonstration  of  secondary  harm 

Q:  is  right  to  privacy  absolute? 

A:  there  might  be  overriding  interests  - but  US  does  blanket  collection,  without  claiming  any 
specific  need 


Question  for  EC:  assuming  that  indiscriminate  surveillance  of  content  took  place,  can  there  be 
overriding  interests,  which  can  still  justify  it? 

A:  the  national  security  issues  of  a third  country  are  not  as  such  national  security  issue  of  EU, 
but  if  there  is  no  safeguarding  framework  whatsoever,  there  is  no  adequacy 

And  what  is  the  answer  then? 

A:  action  is  to  obtain  additional  guarantees 


Closing  Statements  by  Schrems,  DPC,  Ireland,  Commission 

Schrems 

Essential  elements: 

1)  the  US  gvt  has  authorized  itself  mass  & indiscriminate  surveillance 

2)  the  EC  has  confessed  today  that  it  itself  cannot  protect  privacy  of  EU  citizens  once  it  has  b 

3)  EC  SH  decision  violates  its  own  legal  basis 

4)  It  is  undisputed  that  the  US  does  not  have  sufficient  domestic  laws  to  protect 

5)  Any  type  of  public  law  of  the  US  can  override  rights  of  individuals  there  is  no  adequacy 

6)  Mass  & indiscriminate  surveillance  violates  essence  of  article  8 Charter. 

7)  It  is  remarkable  that  EC  argues  that  it  is  not  bound  by  article  8 when  making  decision 

CJEU  should  undertake  full  judicial  review 

Article 3(1)(b) should be considered ultra vires, if not, it should at least be interpreted in
compliance with EU law


Both  options  result  in  national  DPAs  having  power  to  set  aside  SH  decision 


The  result  of  doing  so  is  not  to  distort  the  internet  / trade,  it  simply  goes  back  to  normal  situation 
which  all  other  business  in  the  world  face  (only  about  1000  companies  have  self-certified  for  safe 
harbor,  the  rest  opts  for  normal  approach) 

States  have  positive  to  protect,  so  obliged  to  investigate  reasoned  complaints 

DPC 

Mr. Schrems has not been harmed in any way, the NSA is not interested in essays by law students.
National DPAs shouldn't be allowed to gradually dismantle safe harbor.

Digital  Rights  Ireland 

Article  3 is  important,  but  the  "Safe  Harbor"  is  overall  not  adequate.  If  Article  3 is  fixed,  it  would 
still  refer  to  "principles"  that  do  not  guarantee  adequate  protection. 

Ireland 

If SH is inadequate, even if it is adhered to, then article 3(1)(b) can in no way limit the rights of EU
citizens. Ireland welcomes clarity from CJEU on this issue.

European  Commission 

On the distribution of powers: if the EC has the power to adequacy, it must also have power to
find adequacy on certain conditions. EC must be able to establish adequacy in principle, which
may not be the case in a particular instance. Irish DPA has no power to review adequacy decision
as such.

A harmonized approach is necessary to ensure proper functioning of internal market -> should
remain in the hands of the EC


Advocate  general  will  deliver  opinion  on  24th  of  June  2015. 


